3 Comments
Todd Inskeep

I thought Risk-Based Vulnerability Management (RBVM) had been overcome by events - namely Kenna getting bought, and I think recently going EOL.

Fixing the right vulnerabilities on the right timeline is just a huge challenge as you point out - for a lot of reasons. The 'fix' I've been focused on, especially in middle market companies is resilience and recovery (plus patching where you can).

There's also an organizational function tied to roles and responsibilities - separating the VM identification from the patching fix feels artificial today - 20 years ago we needed the separation for honesty and integrity. Today, and looking at the future, hiding known issues is only going to get harder in most organizations.

Guillaume Ross

If you can't segment it or monitor it, and also can't patch it fast, it might be time to consider moving that function to SaaS!